
8 Things To Avoid When Building Account Takeover Prevention In-House


In the past two years, account takeover attacks have evolved dramatically. One recurring theme we’ve seen is that gaps often emerge when the security program’s focus is misplaced. For us, it starts and ends with protecting the user—which means the emphasis has to be on protecting the user account. But great security doesn’t have to come at the expense of great UX. We put...

Account Takeovers Happen At Login, Not At The Transaction


Account takeovers (ATOs) are unique in that by the time most companies become aware they have a problem, it’s already too late: they find out when users report that their accounts have been compromised, or when fraud shows up in the aftermath of an ATO. Ironically, these are the very metrics fraud vendors use to count the ATOs they’ve seen. But by then, the challenge becomes one of clean...

Reactive vs Proactive Account Takeover Prevention


A few years ago, when we launched Castle during Y Combinator, it wasn’t uncommon for consumer-facing companies to tell us that they didn’t have an ATO problem. This was almost never the case: they invariably had compromised accounts that their fraud tools simply hadn’t detected. In some cases, we found hundreds of thousands of compromised...

Stop Calling It Account Takeover “Fraud”


A few years ago, when account takeover (ATO) first emerged as a serious threat, it was understandable that it was treated as a fraud problem. After all, the identity theft inherent in taking over a user’s account does, on some level, amount to fraud. But as the ATO problem has grown, impacting nearly every online business, it’s become clear that we need a mindset shift in how we...

We shouldn’t focus on changing user behavior—but on understanding it


The state of online identity is bleak, mostly because it still relies on an outdated username-and-password model. Each year, 1 billion credentials are leaked or breached, and 73 percent of passwords are reused across sites. These dynamics have driven an increase in account takeovers (ATOs) through credential stuffing, in which an attacker replays stolen username/password pairs against a variety of websites and takes over entire accounts to...
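The excerpts above make two points a practitioner can act on: credential stuffing replays leaked passwords across many accounts, and the place to catch it is the login itself, not the fraud that surfaces weeks later. The following is an added example illustrating that idea; it is not code from the original article or from Castle. The event format, the thresholds, the IP addresses and the usernames are constructed assumptions chosen to make the behaviour visible, and the detector deliberately decides per login attempt so a successful login from an already-flagged source is caught at the moment it happens.

```python
"""Login-time credential-stuffing detection over constructed login events.

Added example, not code from the original article or from Castle. The log
format, thresholds and all sample data below are assumptions for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds since epoch (assumed format)
    ip: str          # client address as seen by the login endpoint
    username: str
    success: bool


# Constructed sample data (assumption, not a real capture):
#  - 203.0.113.7 sprays leaked credentials across many accounts and gets one hit
#  - 198.51.100.4 is a legitimate user mistyping their own password twice
#  - 192.0.2.9 is an ordinary successful login
SAMPLE_LOG = """\
1700000000 203.0.113.7 alice FAIL
1700000001 203.0.113.7 bob FAIL
1700000002 203.0.113.7 carol FAIL
1700000003 203.0.113.7 dave FAIL
1700000004 203.0.113.7 erin FAIL
1700000005 203.0.113.7 frank OK
1700000006 203.0.113.7 grace FAIL
1700000010 198.51.100.4 heidi FAIL
1700000020 198.51.100.4 heidi FAIL
1700000030 198.51.100.4 heidi OK
1700000040 192.0.2.9 ivan OK
"""


def parse_log(text):
    """Parse whitespace-separated '<ts> <ip> <username> <OK|FAIL>' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, username, result = line.split()
        events.append(LoginEvent(int(ts), ip, username, result == "OK"))
    return events


def analyze(events, window=60, min_distinct_users=5, min_failures=4):
    """Decide, at each login attempt, whether its source looks like stuffing.

    A source is flagged once it has tried at least `min_distinct_users`
    different accounts with at least `min_failures` failures inside a sliding
    `window` of seconds. Any successful login from a flagged source is
    reported as a suspected takeover at login time, before any transaction.

    Returns (flagged, suspected):
      flagged   -> {ip: ts of the attempt that crossed the thresholds}
      suspected -> [(ts, ip, username)] successes from flagged sources
    """
    recent = defaultdict(deque)
    flagged = {}
    suspected = []
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.ip]
        q.append(ev)
        # Drop attempts that have aged out of the sliding window.
        while q and ev.ts - q[0].ts > window:
            q.popleft()
        distinct_users = {e.username for e in q}
        failures = sum(1 for e in q if not e.success)
        if (ev.ip not in flagged
                and len(distinct_users) >= min_distinct_users
                and failures >= min_failures):
            flagged[ev.ip] = ev.ts
        # The decision happens here, at login, not after downstream fraud.
        if ev.ip in flagged and ev.success:
            suspected.append((ev.ts, ev.ip, ev.username))
    return flagged, suspected


def run_sample():
    """Run the detector over the constructed sample log."""
    return analyze(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    flagged, suspected = run_sample()
    for ip, ts in flagged.items():
        print(f"stuffing source {ip} flagged at ts={ts}")
    for ts, ip, user in suspected:
        print(f"suspected takeover of '{user}' from {ip} at ts={ts}")
```

On the sample data the spraying source is flagged at its fifth distinct account and the one successful login that follows (`frank`) is reported at the login step; the user who mistypes their own password twice is not flagged, because distinct accounts, not raw failures, drive the decision. A single-IP heuristic like this is only an illustration: real stuffing campaigns spread attempts across residential proxies and botnets, so production detection keys on device, network and behavioural signals rather than the source address alone, and a flagged-source state would expire rather than persist forever as it does here.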